Part 9 - Mapping the MITRE ATT&CK framework to your Kubernetes cluster: Impact on the Cluster

Posted by
Riyaz Walikar
February 26, 2021

(This is the last of a 9-part blog series that explains the Kubernetes MITRE ATT&CK-like Threat Matrix created by Microsoft from an attacker's perspective and attempts to show how real-world attackers use the techniques covered in the framework to gain access, execute, persist and explore Kubernetes cluster environments.)

Use this index to navigate to and read the rest of the posts in this series

(This blog post discusses the last tactic described in the MITRE ATT&CK framework for Kubernetes - Impact)

In the last post, we saw the techniques in the Lateral Movement tactic of the MITRE ATT&CK framework for Kubernetes. Let's look at the next tactic, Impact, and the techniques that attackers use within this tactic. For reference, here's the framework that Microsoft created as a visual cue to the overall tactics and techniques that attackers use when attacking a Kubernetes cluster.

Kubernetes ATT&CK matrix


The Impact tactic describes techniques that attackers use to destroy data, abuse access or change the cluster environment in a way that causes a Denial of Service for legitimate users. The techniques in this tactic are more the consequences of malicious actions that an attacker takes than actual ways of executing the actions that lead to the described outcomes.

Data destruction

An attacker with full cluster control can scale down deployments, delete storage volumes, terminate running pods, drain nodes or delete any data that is accessible via running services.

For example, an attacker could use the credentials obtained from configuration files or the Kubernetes secrets store to connect to a MySQL server and issue DROP DATABASE commands.
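As an added example (not code from the original post), here is a Python sketch that flags the Data destruction actions listed above in Kubernetes API server audit logs. It assumes JSON-lines audit output with the `audit.k8s.io/v1` field names and an audit policy level that records request bodies; the labels, the `ev` helper and the sample usernames are invented for illustration.

```python
import json
from collections import Counter

DELETES, WRITES = {"delete", "deletecollection"}, {"update", "patch"}
DELETE_LABELS = {"persistentvolumeclaims": "volume-delete",
                 "persistentvolumes": "volume-delete", "pods": "pod-delete"}

def classify(event):
    """Label a successful destructive request; return None for anything else."""
    status = event.get("responseStatus") or {}
    if event.get("stage") != "ResponseComplete" or status.get("code", 500) >= 300:
        return None  # in-flight, denied or failed requests changed nothing
    ref = event.get("objectRef") or {}
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    req = event.get("requestObject")  # only present at audit level Request or above
    spec = (req.get("spec") or {}) if isinstance(req, dict) else {}
    if verb in DELETES and res in DELETE_LABELS:
        return DELETE_LABELS[res]
    if verb == "create" and res == "pods" and sub == "eviction":
        return "pod-eviction"  # one per pod when a node is drained
    if verb in WRITES and res == "deployments" and spec.get("replicas") == 0:
        return "scale-to-zero"
    if verb in WRITES and res == "nodes" and spec.get("unschedulable") is True:
        return "node-cordon"
    return None

def summarize(log_text):
    """Count destructive actions per (username, label) in JSON-lines audit output."""
    hits = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        label = classify(event)
        if label:
            hits[((event.get("user") or {}).get("username", "?"), label)] += 1
    return hits

def ev(user, verb, res, code=200, sub=None, spec=None):  # hypothetical sample builder
    return {"stage": "ResponseComplete", "verb": verb, "user": {"username": user},
            "objectRef": {"resource": res, "subresource": sub},
            "requestObject": {"spec": spec} if spec else None, "responseStatus": {"code": code}}

# Constructed sample: usernames are invented; svc-ci plays the compromised identity.
SAMPLE = "\n".join(json.dumps(e) for e in [
    ev("svc-ci", "patch", "deployments", sub="scale", spec={"replicas": 0}),
    ev("svc-ci", "delete", "persistentvolumeclaims"), ev("svc-ci", "patch", "nodes", spec={"unschedulable": True}),
    ev("svc-ci", "create", "pods", 201, "eviction"), ev("svc-ci", "create", "pods", 201, "eviction"),
    ev("dev-anna", "delete", "pods", 403), ev("dev-anna", "patch", "deployments", sub="scale", spec={"replicas": 3}),
])

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

Several different labels from one identity in a short window is a stronger signal than any single event, since each of these requests also occurs during routine operations.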

Resource Hijacking

This is one of the most common consequences of a cluster compromise, especially for managed instances on the cloud. Attackers gain control of compromised resources and use them to run attacker-chosen tasks, such as cryptocurrency mining.

Denial of service

A Denial of Service occurs when legitimate users of applications running within the cluster are unable to access them. The same is true of any resource object within the cluster. An attacker makes the resource unavailable to users by removing it, altering its configuration so that it is no longer accessible, or updating it in a way that changes the meaning of the resource entirely.


With the Impact tactic, an attacker attempts to prevent the cluster from serving its primary purpose of servicing the users of the cluster. Attackers can destroy data, alter the state of data and resources, make them inaccessible to cause a denial of service or simply hijack the resources to perform malicious pre-orchestrated tasks like cryptocurrency mining and malware hosting.

The MITRE ATT&CK threat matrix serves as a guide for defenders as well as authorized security testers, who can use it to understand how an attack on a cluster could unfold, all the way from obtaining Initial Access to performing destructive actions via the Impact tactic.

